There are some established facts on health care cybersecurity: The sector has, and will likely always be, a prime target for nefarious actors given its trove of data, endpoints, and the need to remain online to deliver patient care. These absolutes drive the need for better processes and procedures to ensure the protection of patient safety.
Hospitals and health care delivery organizations have faced some of the most historically stressful situations in the last year. But the majority of threat actors didn’t care much about the vulnerability of their targets and continued the spate of attacks. In short, providers are facing two kinds of pandemics, and actions are needed to at least alleviate the risk of long periods of downtime.
And yet, while there are plenty of compliance checklists, resources, and security standards, there’s no one-size fits all for any health care entity. As a result, the onus of securing the enterprise falls solely on the provider organization. And with limited security staff to go around, many are clearly struggling to keep pace and fully secure the enterprise.
Previous reporting boiled the sector’s posture down to one key point: enterprise security leaders can’t eliminate the risks. They assess the amount of risk the organization is willing to accept and everything else falls off the table.
How then, will a sector that’s expected to drive digital innovation secure these important projects and the overall health care network? SC Media sat down with two of Mitre's health care leaders to hear unbiased expertise on best practices, the power of practiced response plans, and the host of free resources that can fill some critical knowledge gaps.
To Margie Zuk, senior principal cybersecurity engineer for Mitre and the cyber engagement lead for health care in the Mitre Cyber Solutions Technical Center, they key is identifying the systems needed to maintain patient care and tying that into well-practiced response plans: “Those are the critical pieces.”
“In particular with health care, they have so many goals to address in a hospital, and patient safety is their top goal,” said Zuk. “People are becoming aware that security is a big piece of that due to the impacts of cyberattacks. I don’t think people previously linked that as closely as they do now.”
“Priorities will change as people understand the implications of attacks on the hospitals downstream,” she added.
This became particularly clear with the pandemic in the last year. With hospitals not having funds coming in through elective procedures and other care services, providers had to prioritize what they were doing, explained Penny Chase, information technology and cybersecurity integrator for Mitre.
As things begin to slow down, providers need to recognize the importance of shifting focus to cybersecurity priorities and addressing key vulnerabilities, because the threat actors have not taken a break.
Plan for inevitable downtime
One key effort from Mitre focuses on educating hospitals on the need to integrate their IT response plans with their all-hazard response plans to better understand what their critical systems are, as well as their downtime procedures.
Under the current threat landscape, hospitals have been suffering with systems down either from lack of an effective response plan or even preparation through training exercises, said Zuk.
“Hospitals have to be prepared for downtime and have to be prepared to go back to paper,” and that means understanding the procedures for critical systems and looping that back with the IT team, explained Zuk. “That way when an attack affects one of those systems, they can really respond in an organized way.”
Under The Health Insurance Portability and Accountability Act, covered entities are actually required to do preparedness exercises. Although most providers do, a lot of those plans don’t include cyber as a key piece. What’s more, the Centers for Medicare and Medicaid Services final rule for preparedness does include cyber as a key piece to exercise.
But providers should prepare, not just to get credit from a compliance standpoint, but because it’s crucial to ensure the plans will be effective if systems go down, said Chase.
Those plans are ineffective without training and testing for efficacy, added Chase. In one instance, a hospital experienced a ransomware attack but failed to print out a copy of their cyber insurance. Thus, they had no idea what vendors to call to find forensics support, as all the response information they needed was encrypted.
“It’s simple things like that,” said Chase. “Do you have all the key things you need to help you in your response? Are they online or have you printed them out? You’re prepared for downtime, right? Well, how do you know?”
The only way to make those key determinations that will better support entities in bringing systems back online after an inevitable attack is with preparation exercises based on those plans, focused on playing out certain scenarios right within your own environment, explained Zuk. The response plans need to identify the key people and how long the system can remain under downtime procedures.
The plans and subsequent exercises will need to address:
- When an attack occurs, how would the team validate it?
- Will we need to take a system down during an attack, or can a system remain online?
- How can the team ensure systems haven’t been compromised?
- Who do we need to tell an attack has occurred?
- Who needs to be at the table to set up the incident command structure?
Ensuring the response team knows the answers to these questions before an incident occurs is a critical element to preparedness, in addition to gaining a full picture into where the hospital stands in terms of cyber capabilities.
Zuk noted that a big piece of that is understanding all of the roles and responsibilities of those who will lead the response, as well as regional partners because “you don’t want to be calling people at the time of the incident.”
Cyber insurance policies are one example of that, but understanding the regional government and those people who can assist with an entity’s diversion strategy is an increasing issue for hospitals. Essentially, when a singular system or the whole network is taken down, a lot of services won’t be offered to patients.
When a provider has to divert patients to other hospitals, there’s a lot at risk in terms of patient safety. Zuk explained that “patient safety is definitely the first goal in all of this. It’s why Mitre always emphasizes the link between IT and downtime procedures.”
“In a hospital environment that’s the most critical,” she added. And that’s why leveraging those resources and understanding local support entities is so critical.
A prime example of this was seen with the Scripps Health ransomware attack and monthlong network outage in May. The attack spotlighted a number of key issues, including costs, the attack caused $112.7 million in lost revenue and recovery efforts, and the impact on local providers.
When care was diverted, nearby University of California San Diego Health was inundated with patients and struggled to keep pace with the influx of patients diverted from the downed hospital. The attack also showed how Scripps Health worked with the California Department of Health (CDPH), which assisted with messaging and evaluating patient safety amid the outage.
“The important thing is that if you do get hit, are you going to be in a position to recover? Having a good backup plan can help that,” she added. “The bad guys are getting better and look to see if [victims’] backups are on the file shares. But that’s why you need to have some kind of tiered function and make sure you have [the backup] disconnected, in off-site storage.”
Training users and bolstering cyber posture
Training is another crucial element for hospital cybersecurity, as some of these effective attacks get into the network by employees simply clicking on a link. Chase explained there’s a lot to worry about in a hospital environment, but the first line of defense is making sure users know not to click on unknown attachments.
But phishing attacks are increasingly using social engineering, which can make identifying malicious emails all the more challenging. Not only that, many entities hold positions where users are frequently sent emails with attachments, such as the human resource or accounting departments.
What then?
Email filtering gateways are a common tool, which can be effective when combined with user input and feedback to improve the effectiveness, explained Chase. It’s particularly helpful in combating attacks that have been tailored to a specific environment.
Asset identification is another crucial piece to securing the hospital environment. Zuk noted that providers are trying to save lives but are also seeking the latest technology, which means entities also need to have business processes in place to understand all of those assets as part of identifying all of the critical systems on the network.
Trusted backups are equally important. As Chase put it: “sometimes it’s not just the sexy new things, but just doing the important things as well… And that’s not as expensive as a lot of other things you can do.” And backups are valuable even when there isn’t a cyberattack, when a network outage occurs.
The procurement cycle is also a common weakness in the health care environment, often amplified by siloes between IT and security, as well other departments. Vendors are also a key contributor to security gaps, and Chase stressed that providers should push back more often on vendors.
Vendor contracts should include guarantees on timely patching and other organizational priorities, as the contracting process is the time to change some of the language to include important security elements like what happens when configuration issues arise, or challenges with passwords or maintenance.
Hospital leaders can “think about putting those elements into the contractual language when they're procuring things to try and help make sure that this is a shared responsibility, and that the onus doesn't fall completely on them. But there's things that they should ask their manufacturers to do,” said Chase.
Providers can also leverage the Mitre ransomware resource, which has a lightweight assessment called Cora, or the Cyber Operations Rapid Assessment. The tool enables health care delivery organizations to take a snapshot of their cybersecurity capabilities to gain specific recommendations on where the entity can improve.
Chase noted it was initially designed to assess an entity’s Security Operations Center capabilities, but it can be used even when a provider does not have a SOC. The provider will still need to figure out the costs and benefits, but CORA can get providers thinking about the tools they have in place.
Leveraging available resources
One positive from the steady wave of ransomware attacks has been a unified federal and private sector effort to better equip all U.S. entities with the needed tools to secure critical infrastructure.
From vendor and nonprofit offers of free ransomware assistance to health care providers, to frequent alerts and resources from federal agencies, there are many free tools that can even support entities without designated security leaders.
One of the most valuable resources is the 2019 Department of Health and Human Services voluntary cybersecurity guidance, which was crafted in partnership with industry stakeholders. The four-volume guide is tailored to provider size, as well as insights on the leading threats and needed policies and procedures for the health care environment.
Chase noted it’s a useful resource for those looking for a place to start or review, as it’s divided up into small, medium, and large hospitals resources.
There are also multiple ransomware resources that provide valuable insights for those entities looking to better understand the threat and needed best practices: Mitre, the Department of Homeland Security, and the Center for Internet Security.
The health care arm of Mitre is attempting to bring together everything providers might need to combat these threats and organize it in a way that can be easily accessed, explained Zuk. There’s the specific IT information and the systems entities need to be aware of, but there’s also elements beyond IT that are also critical.
Outside of those resources, both Zuk and Chase urged health care providers to join a threat sharing group to be informed of the latest threat impacting the sector, such as the Health Information Sharing and Analysis Center. H-ISAC releases regular threat briefings, with more timely releases on the website.
The FBI also has an information sharing framework called InfraGard. Any hospital can join and then enroll in the the health care working group where a lot of timely information is shared. InfraGard also has an active mailing list, and when someone sees something on their network, they will share that information as part of the trusted group.
“The threats are always changing and receiving current indicators of compromise that are shared among partners is really the most effective,” explained Zuk. Small providers can see a great benefit from joining one of these groups because they need that extra support.